Search Our Database

Introduction

ConfigServer Security & Firewall (CSF) is an advanced iptables-based firewall used to secure Linux servers. One of CSF’s powerful features is the ability to control traffic based on a visitor’s country using GeoIP lookups.

This article explains how to configure country-based IP allowance using CSF.

📝 Note: This guide assumes CSF is already installed and working on your server.

Pre-requisites

Before you begin:

• Ensure you have root or sudo access to the server.
• UFW should be disabled if it is active (ufw disable)
• Confirm that CSF is installed (csf -v) and running in enabled mode.
• Familiarity with editing files using vi.

Step-by-step guide

Step 1: Disable CSF Testing Mode (If Still Enabled)

CSF runs in testing mode by default after installation. To enable full firewall rules:

1. Open the CSF configuration file:

vi /etc/csf/csf.conf

2. In vi:

• Press i to enter Insert mode
• Locate the following line:
  • TESTING = “1”
• Change it to:
  • TESTING = “0”
• Press Esc, type :wq, and hit Enter to save and exit.

3. Restart CSF to apply the changes:

csf -r

Step 2: Configure Country-Based Allowance

1. Open the CSF configuration file:

vi /etc/csf/csf.conf

2. In vi:

• Press i to enter Insert mode
• Find the line:
  • CC_ALLOW =
• Add the country codes you wish to allow, for example (United States, Singapore):
  • CC_ALLOW = US,SG
• Also ensure this line is set to enable GeoIP lookups:
  • CC_LOOKUPS = “1”
• Press Esc, type :wq, and hit Enter to save and exit.

3. Restart CSF to activate the rules:

csf -r

✅ You can find ISO 2-letter country codes here: ISO 3166-1 alpha-2

Conclusion

Your Ubuntu server is now configured to allow traffic only from specific countries using CSF’s GeoIP functionality. This provides an extra layer of security by restricting access to trusted regions.

If you need further assistance, feel free to contact us at support@ipserverone.com.